Critical security issue in Foreman Remote Execution and Foreman Ansible

On behalf of Ivan Nečas, who worked on the fix:

A critical security issue CVE-2018-14643 has been discovered
in the Remote Execution plugin (within the smart_proxy_dynflow package).
This issue allows an unauthorized remote attacker to perform arbitrary code
execution on managed hosts.

The affected versions of the smart_proxy_dynflow package are 0.1.8 and later
(Foreman >= 1.15). Users of Foreman Remote Execution and Foreman Ansible
are affected by this issue.

The fix for this issue has been merged and the releases
are being prepared in the following packaging PRs:

After updating the packages, it's required to run systemctl restart foreman-proxy.

To mitigate the issue before updating the packages, it's possible to
temporarily disable the remote execution functionality with the following
configuration change:

sed -i 's/:enabled: .*/:enabled: false/' /etc/foreman-proxy/settings.d/dynflow.yml
systemctl restart foreman-proxy

The package needs to be updated on all hosts that run foreman-proxy with the
dynflow feature. That usually means the main Foreman server, where the default
smart proxy is often running, as well as all other smart proxies with the
dynflow feature.

We will keep this post updated with information about the availability of the
fixes in the official repositories once we get them through the release process.

The issue was discovered by the core development team and we are not
aware of any public disclosures of this issue up until today, with the
official CVE.

Background:

This issue was introduced as a regression with this commit,
where adding an alternative authorization mechanism for async callbacks from
remote hosts caused the original authorization to be bypassed.

As part of the fixing patch, we also added an additional set of tests to make
sure we don't run into this issue again.

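As an added example, not part of the announcement or of the smart_proxy_dynflow project, here is a small Python check a proxy administrator can run on a foreman-proxy host to see whether it is still exposed: it reads the :enabled: key that the mitigation's sed command rewrites and compares the installed package version against the affected range (0.1.8 and later) and the 0.2.1-1 build the release updates further down ship as the fix. Assumptions: 0.2.1 is the first fixed version, and a missing :enabled: key means the feature is on.

```python
"""Added check (not the project's code): is this foreman-proxy host still exposed
to CVE-2018-14643?  Exposed = dynflow enabled in dynflow.yml AND installed
smart_proxy_dynflow in [0.1.8, 0.2.1).  Assumption: 0.2.1-1 is the first fixed build."""
import re
import subprocess
from typing import Optional, Tuple

DYNFLOW_YML = "/etc/foreman-proxy/settings.d/dynflow.yml"
FIRST_AFFECTED = (0, 1, 8)   # from the announcement
FIRST_FIXED = (0, 2, 1)      # assumption, see module docstring

def parse_version(text: str) -> Tuple[int, ...]:
    """'0.2.0-1' or 'rubygem-smart_proxy_dynflow-0.2.1-1.el7' -> (0, 2, 1)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(x) for x in m.groups())

def dynflow_enabled(yml_text: str) -> bool:
    """Read the ':enabled:' key the mitigation's sed command rewrites.  Smart-proxy
    modules accept true/false/http/https here, so anything but an explicit false
    counts as enabled.  Assumption: a missing key also means enabled."""
    for line in yml_text.splitlines():
        m = re.match(r"^\s*:enabled:\s*(\S+)", line)
        if m:
            return m.group(1).lower() != "false"
    return True

def apply_mitigation(yml_text: str) -> str:
    """Same substitution as: sed -i 's/:enabled: .*/:enabled: false/' dynflow.yml"""
    return re.sub(r":enabled: .*", ":enabled: false", yml_text)

def is_exposed(yml_text: str, installed: str) -> bool:
    """True when the feature is on and the package version is in the affected range."""
    return dynflow_enabled(yml_text) and FIRST_AFFECTED <= parse_version(installed) < FIRST_FIXED

def installed_version() -> Optional[str]:
    """Ask rpm, then dpkg, for the package name the thread gives for each platform."""
    for cmd in (["rpm", "-q", "rubygem-smart_proxy_dynflow"],
                ["dpkg-query", "-W", "-f=${Version}", "ruby-smart-proxy-dynflow"]):
        try:
            return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()
        except (OSError, subprocess.CalledProcessError):
            continue
    return None

if __name__ == "__main__":
    try:
        yml = open(DYNFLOW_YML).read()
    except OSError:
        yml = "---\n:enabled: true\n"   # constructed sample when run off-box
    ver = installed_version() or "rubygem-smart_proxy_dynflow-0.2.0-1"  # constructed fallback
    print("exposed" if is_exposed(yml, ver) else "not exposed", ver)
```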

Release updates:

The deb packages should now have the required updates for ruby-smart-proxy-dynflow available in all affected repos (1.15+).

The rpm packages for 1.18+ are now built in Koji and are waiting to be meshed into the corresponding 1.18+ yum repositories.

For rpm for 1.15+, we're still resolving the builds, but I believe we're close to having them ready as well. I will keep you posted.

Another update about available releases.

The rubygem-smart_proxy_dynflow-0.2.1-1 is now available in 1.18, 1.19 and nightly repositories.

The build for 1.15, 1.16 and 1.17 is here: http://koji.katello.org/koji/buildinfo?buildID=33307 and it will be pushed to the yum repos within 24 hours.

To repeat, after the package is updated, it's needed to run systemctl restart foreman-proxy.

Probably the last update: all repositories (1.15, 1.16, 1.17, 1.18, 1.19 and nightly), rpm as well as deb, should now have the proper fixes available.

If you did not update yet, we strongly encourage you to do so now.

It took a bit longer to get the builds through 1.15 and 1.16, as they are not officially supported anymore, but we felt this issue is important enough to have it fixed even for those who are not fortunate enough to be running newer releases at the moment (while we encourage everyone to keep their setups up to date).